What can developers do?


Post by relemedf5w023 »

Kare stresses that developers should not use Social Security numbers, phone numbers, or email addresses as customer identifiers. He says that a lack of authentication for logins could allow an attacker to scour an entire customer database. In one case he cites, a broken login was compounded by a lack of validation of user input, allowing an attacker to access credit histories and other sensitive financial information.

“We ran into our old friend BOPLA again – it turns out that an API with very weak authentication can be queried for a credit score,” explains Kare. “And guess what, not only can you pull information about the victim and do a little identity theft, but you can also check how good a victim they are, how much credit can be obtained in their name.”

All of these can be easily fixed once discovered; but again, many companies don't discover API security flaws because they don't monitor them.

“Most retailers don’t find out they’ve been hacked, that their payment systems have been compromised, by their own free will. They’re told by their bank,” says Kare. “When your security alerts come from outside, it’s not a pleasant experience, believe me.”

That's why it's important to start by discovering all available APIs and adding them to the registry, and then applying corporate security policies to all registered APIs, he says.

Tools like API inventory and API compliance products can help identify and assess APIs across an organization by integrating them into the CI/CD pipeline. And organizations should use API threat detection solutions that can block API attacks in real time.
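An added example, not part of the original post and not any vendor's product: a minimal CI-style compliance check over a registered OpenAPI-style document. It flags operations with no authentication requirement, flags path or query parameters named after SSN, phone, or email, and lists routes seen in traffic that are missing from the registry. The spec, the log lines, and all function names are constructed for illustration.

```python
import re

# Constructed sample registry entry (OpenAPI-style); not from any real service.
SPEC = {
    "security": [],  # top-level default: no auth unless an operation overrides it
    "paths": {
        "/customers/{ssn}/credit-score": {"get": {
            "parameters": [{"name": "ssn", "in": "path"}]}},
        "/customers/{customer_id}/orders": {"get": {
            "parameters": [{"name": "customer_id", "in": "path"}],
            "security": [{"oauth": ["orders:read"]}]}},
        "/lookup": {"get": {
            "parameters": [{"name": "email", "in": "query"}],
            "security": [{"oauth": ["lookup:read"]}]}},
    },
}
# Constructed sample of routes seen in gateway access logs.
OBSERVED = ["GET /customers/000-00-0000/credit-score", "GET /internal/export", "GET /lookup?x=1"]

METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
PII_NAME = re.compile(r"ssn|social|phone|e-?mail", re.I)

def audit_spec(spec):
    """Return (METHOD, path, finding) tuples for policy violations in one spec."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            # Operation-level security overrides the top-level default.
            security = op.get("security", spec.get("security", []))
            if not security or {} in security:  # [] or [{}] permits anonymous calls
                findings.append((method.upper(), path, "no-auth"))
            for p in item.get("parameters", []) + op.get("parameters", []):
                if p.get("in") in ("path", "query") and PII_NAME.search(p.get("name", "")):
                    findings.append((method.upper(), path, "pii-identifier:" + p["name"]))
    return findings

def unregistered(spec, observed):
    """Return observed 'METHOD /path' entries that match no registered operation."""
    compiled = [(re.compile(re.sub(r"\\\{[^/]+?\\\}", "[^/]+", re.escape(p))), item)
                for p, item in spec.get("paths", {}).items()]
    missing = []
    for line in observed:
        method, path = line.split(" ", 1)
        path = path.split("?", 1)[0]  # ignore the query string when matching
        if not any(rx.fullmatch(path) and method.lower() in item for rx, item in compiled):
            missing.append(line)
    return missing
```

Failing the pipeline when either function returns a non-empty list turns the registry and policy steps described in the post into an enforced gate.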